On Fri, Nov 4, 2016 at 11:51 AM Julian Andres Klode <
jak@debian.org> wrote:
We really need to get rid of the DSA keys too though. I just never added a
check for DSA keys themselves, as I thought I covered that with the SHA1
and RIPEMD check. I should probably fix that, if possible.
So, it's an accident that this works - the intention is to get rid of DSA
keys too. We even got rid of them for the personal DD keys already.
OK. Got it. As I wrote I'm also working on switching the key, but the extra time does help.
Repositories are supposed to ship a key in /etc/apt/trusted.gpg.d in some
package, usually a keyring package. (You could also have a repo config package
that also adds a file to sources.list.d). Some repositories, like the Google
ones add the sources.list, gpg key to their main package - they only have
one package per repo.
Thank you.
Would you kindly point me to one package that ships a key in /etc/apt/trusted.gpg.d? I want to use it as a reference / yardstick to do my work.